IBM Verify

  • 1.  ISAM: get request attributes in PreTokenGeneration

    Posted Tue February 25, 2020 09:16 AM
    I want to check all attributes in the request, such as the attributes in the header, before generating the access token. How can I get all attributes from the request in PreTokenGeneration mapping rules?

    ------------------------------
    mohamed ghonem
    ------------------------------


  • 2.  RE: ISAM: get request attributes in PreTokenGeneration

    Posted Wed February 26, 2020 05:23 AM
    Hi,

    You can review which attributes are available in the stsuu, mainly as part of the credentials, and then fetch them and use them like this in the pre-token rule. The stsuu will give you a detailed idea of what's available to fetch.

    // request_type and response_type are assumed to be set earlier in the mapping rule
    if (request_type == 'authorization' && response_type == 'code')
    {
        // Code to get all the attributes in the pre-token rule
        IDMappingExtUtils.traceString(" List all Attributes in STSUU of type urn:ibm:names:ITFIM:5.1:accessmanager");
        var attribute_list = stsuu.getAttributeContainer().getAttributesByType("urn:ibm:names:ITFIM:5.1:accessmanager");

        IDMappingExtUtils.traceString(" Got attribute list");

        for (var i = 0; i < attribute_list.length; i++)
        {
            // Declared with var so they do not become implicit globals
            var attr_name = attribute_list[i].getName();
            IDMappingExtUtils.traceString("Name of Attribute:" + attr_name);
            var attr_values = attribute_list[i].getValues();
            if (attr_values != null && attr_values.length > 0)
            {
                for (var j = 0; j < attr_values.length; j++)
                {
                    IDMappingExtUtils.traceString("Printing Value:" + attr_values[j]);
                }
            }
        }
    }

    ------------------------------
    Tushar
    ------------------------------



  • 3.  RE: ISAM: get request attributes in PreTokenGeneration

    Posted Wed February 26, 2020 09:57 AM
    Hi,
    Thanks for the support.
    I used your code but I found only one attribute, "oidc_username".
    I want to see all attributes returned from the request.

    ------------------------------
    mohamed ghonem
    ------------------------------



  • 4.  RE: ISAM: get request attributes in PreTokenGeneration

    Posted Wed February 26, 2020 10:19 AM
    Hi Mohamed,

    If you want to see what's available to you in the PreToken Mapping Rule, you can see it using:
    IDMappingExtUtils.traceString("incoming stsuu = " + stsuu.toString());
    If you then look into the trace.log file, you see the STSUU XML object, and this is what ISAM has tokenized for your context. Then calling the right containers, you can extract those values.

    Hope it helps.

    ------------------------------
    Dries Eestermans
    IS4U
    ------------------------------



  • 5.  RE: ISAM: get request attributes in PreTokenGeneration

    Posted Thu February 27, 2020 01:04 AM
    Hi,

    The above code will just help you to get the attributes during the /authorize calls. You can see them in the logs.

    Furthermore, if you would like them to be included in the id_token or another endpoint response, then you need to do additional work.

    Could you clarify where you see oidc_username? Is it a token that you look into?

    ------------------------------
    Tushar
    ------------------------------



  • 6.  RE: ISAM: get request attributes in PreTokenGeneration

    Posted Thu February 27, 2020 07:28 AM
    Hi,
    It works well, but I want to get attributes in the header of the request, like "user agent, cookies, referrer, etc."
    Thanks for the support.


    ------------------------------
    mohamed ghonem
    ------------------------------



  • 7.  RE: ISAM: get request attributes in PreTokenGeneration

    Posted Fri February 28, 2020 02:52 AM

    Try taking a look at Advanced Configuration parameters:

    - sps.httpRequestClaims.enabled (by default is false, try true)
    - sps.httpRequestClaims.filterSpec (this should be set by default)

    Trace the entire stsuu in the pre-token mapping rule when accessing the /authorize endpoint and see if there is any extra data in there.

    Really you should not be doing this in a pre-token mapping rule at all, but instead using an access policy associated with the OAuth protection definition, or context-based authorization policy attached to the /authorize resource to make decisions about the authenticity of the request.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 8.  RE: ISAM: get request attributes in PreTokenGeneration

    Posted Fri February 28, 2020 09:05 AM

    You can try adding this snippet:

    // Example: Retrieve HTTP request claim, which contains various information
    // about the incoming HTTP request (e.g., headers, cookies, POST
    // parameters, query string parameters). HTTP request claim can be
    // configured using advanced configurations under category
    // "sps.httpRequestClaims".
    var claims = stsuu.getRequestSecurityToken().getAttributeByName("Claims").getNodeValues();
    for (var i = 0; i < claims.length; i++) {
        var dialect = claims[i].getAttribute("Dialect");
        if ("urn:ibm:names:ITFIM:httprequest".equalsIgnoreCase(dialect)) {
            var headers = claims[i].getElementsByTagName("Header");
            for (var j = 0; j < headers.getLength(); j++) {
                var header = headers.item(j);
                var name = header.getAttribute("Name");
                var values = header.getElementsByTagName("Value");
                for (var k = 0; k < values.getLength(); k++) {
                    var value = values.item(k).getTextContent();
                    IDMappingExtUtils.traceString("Header with name [" + name + "] and value [" + value + "]");
                }
            }
        }
    }


    ------------------------------
    Sumana Narasipur
    ------------------------------



  • 9.  RE: ISAM: get request attributes in PreTokenGeneration

    Posted Sat February 29, 2020 08:05 AM
    Hi,
    Thanks for the support.
    It worked when I enabled sps.httpRequestClaims.enabled in the Advanced Configuration parameters and added this code:

    // Example: Retrieve HTTP request claim, which contains various information
    // about the incoming HTTP request (e.g., headers, cookies, POST
    // parameters, query string parameters). HTTP request claim can be
    // configured using advanced configurations under category
    // "sps.httpRequestClaims".
    var claims = stsuu.getRequestSecurityToken().getAttributeByName("Claims").getNodeValues();
    for (var i = 0; i < claims.length; i++) {
        var dialect = claims[i].getAttribute("Dialect");
        if ("urn:ibm:names:ITFIM:httprequest".equalsIgnoreCase(dialect)) {
            var headers = claims[i].getElementsByTagName("Header");
            for (var j = 0; j < headers.getLength(); j++) {
                var header = headers.item(j);
                var name = header.getAttribute("Name");
                var values = header.getElementsByTagName("Value");
                for (var k = 0; k < values.getLength(); k++) {
                    var value = values.item(k).getTextContent();
                    IDMappingExtUtils.traceString("Header with name [" + name + "] and value [" + value + "]");
                }
            }
        }
    }

    Thanks

    ------------------------------
    mohamed ghonem
    ------------------------------
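
Added example, not part of any post in the thread and not IBM's code: the header-reading snippet above traces every header value, so if Cookie or Authorization headers are included in the httprequest claim, their values end up in trace.log. This sketch runs the same traversal but masks those values; the `el`/`header` stubs and sample data are constructed stand-ins for the DOM elements the appliance supplies, and the list of sensitive header names is an assumption to adjust.

```javascript
// Assumed list of header names whose values should never reach trace.log.
var SENSITIVE = ["cookie", "authorization", "proxy-authorization"];
// Mask credential-bearing headers; keep only the length for troubleshooting.
function redact(name, value) {
  if (SENSITIVE.indexOf(String(name).toLowerCase()) !== -1) {
    return "<redacted, " + String(value).length + " chars>";
  }
  return String(value);
}
// Same traversal as the snippet in the thread, but returns redacted lines
// instead of tracing raw values. `claims` is an array of DOM-like elements.
function headerTraceLines(claims) {
  var lines = [];
  for (var i = 0; i < claims.length; i++) {
    var dialect = String(claims[i].getAttribute("Dialect"));
    if (dialect.toLowerCase() !== "urn:ibm:names:itfim:httprequest") continue;
    var headers = claims[i].getElementsByTagName("Header");
    for (var j = 0; j < headers.getLength(); j++) {
      var name = headers.item(j).getAttribute("Name");
      var values = headers.item(j).getElementsByTagName("Value");
      for (var k = 0; k < values.getLength(); k++) {
        lines.push("Header [" + name + "] = [" +
          redact(name, values.item(k).getTextContent()) + "]");
      }
    }
  }
  return lines;
}

// --- Constructed stand-ins so the example runs outside the appliance ---
function el(attrs, children, text) {   // hypothetical minimal DOM element
  return {
    getAttribute: function (n) { return attrs[n]; },
    getTextContent: function () { return text || ""; },
    getElementsByTagName: function (tag) {
      var hit = (children || []).filter(function (c) { return c.tag === tag; });
      return { getLength: function () { return hit.length; },
               item: function (x) { return hit[x].node; } };
    }
  };
}
function header(name, value) {         // hypothetical helper: one <Header>
  return { tag: "Header", node: el({ Name: name },
    [{ tag: "Value", node: el({}, [], value) }]) };
}
var sampleClaims = [el({ Dialect: "urn:ibm:names:ITFIM:httprequest" }, [
  header("User-Agent", "ExampleBrowser/1.0"),
  header("Cookie", "SESSION=constructed-value")   // constructed sample value
])];
```

In a mapping rule, pass the `claims` array obtained as in the thread's snippet to `headerTraceLines` and hand each returned line to `IDMappingExtUtils.traceString`.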